SoD compliance: Still a challenge for organisations of all sizes in 2023

In this, the second in a series of posts about the types of business problems we, as SAP security specialists, get asked to help our clients resolve, we’re having a look at the perennial issue of segregation of duties (SoD) management.


SoD is a subject that still strikes panic into otherwise well-rounded, sensible people and is often still misunderstood by many. Some years ago I thought there’d be a time when most organisations would have been on top of managing this important area, but rest assured, you're definitely not alone if this is still on your radar!


The real business challenge of managing SoD Issues


To fully understand SoD and get an appreciation of the importance of dealing with it properly, it’s useful to look at how some of the issues around the subject manifest themselves in the real world.


Financial risks: Financial loss or regulatory non-compliance can result from SoD problems. The impacts can be significant and can end up affecting your company’s bottom line, in which case you’ll be assured of extreme focus on the problem and what caused it. I think I’m right in saying we should all be doing our utmost to avoid this kind of scrutiny.

Security vulnerabilities: Unresolved SoD issues can expose your sensitive data to unauthorised access, compromising your security and compliance to things like data protection.

Undefined SoD policies: Lack of a clear SoD policy can lead to confusion and compliance gaps. This is really the starting point in understanding SoD and having a chance of managing it properly.

Inadequate risk assessment: Identifying SoD risks accurately is crucial for resolution and/or mitigation. The definition of what constitutes an SoD risk varies from company to company according to the SAP functionality deployed and the organisation's risk appetite, and agreeing that definition is a vital early step. Having processes and/or technology in place to then analyse your roles and users against the risks relevant to your company is also required.

Complex authorisation structures: Overcomplicated or outdated role designs (covered in my last post) can breed conflicts, either making it difficult to assign the necessary SAP access to users, or more usually, causing an excess number of SoD violations.

Emergency, development and support access: Notwithstanding the fact that there are solutions in the market for managing this issue, managing enhanced access without compromising SoD can be tricky. Getting the balance right between giving support partners the access they need and preserving business control remains a favourite subject.

Inefficient remediation: Correcting your SoD violations can be difficult and time consuming. Unaddressed SoD risks are never a good look and compromise compliance and security.

Audit pressure: Where there are SoD conflicts there will, quite rightly, be audit pressure to resolve them. Often this is the driver that results in action being taken. We clearly advocate an approach where clients take action on this critical subject before it gets to this point, ideally by managing SoD proactively so that issues are avoided in the first place.
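To make the "define your risks, then analyse roles and users against them" step concrete, here is an added example (not Pumpkin's tooling or a real SAP ruleset) of a minimal SoD analysis over constructed role and user data. The business functions, risk IDs, role names and user names are all assumptions; the transaction codes are standard SAP AP/vendor transactions chosen for illustration. It reports both intra-role conflicts (a single role granting both halves of a risk) and user-level conflicts, naming the contributing roles so a remediation plan knows what to change.

```python
# Constructed illustrative ruleset: a business function is the set of
# transaction codes that grant it. Real rulesets are far larger and are
# tailored to the SAP functionality a company actually runs.
FUNCTIONS = {
    "MAINTAIN_VENDOR": {"XK01", "XK02", "FK02"},
    "POST_VENDOR_INVOICE": {"FB60", "MIRO"},
    "PAY_VENDOR": {"F110", "F-53"},
    "DISPLAY_VENDOR": {"XK03"},
}

# A risk is a pair of functions one person should not hold together.
RISKS = {
    "P001": ("MAINTAIN_VENDOR", "PAY_VENDOR"),
    "P002": ("POST_VENDOR_INVOICE", "PAY_VENDOR"),
}

def functions_of(tcodes):
    """Business functions granted (fully or partly) by a set of tcodes."""
    return {f for f, codes in FUNCTIONS.items() if codes & set(tcodes)}

def role_conflicts(roles):
    """Intra-role conflicts: role name -> sorted list of risk IDs it violates."""
    out = {}
    for role, tcodes in roles.items():
        funcs = functions_of(tcodes)
        hits = [rid for rid, (a, b) in RISKS.items() if a in funcs and b in funcs]
        if hits:
            out[role] = sorted(hits)
    return out

def user_conflicts(roles, users):
    """User-level conflicts, listing which roles grant each half of the risk."""
    out = {}
    for user, assigned in users.items():
        contrib = {}  # function -> roles that grant it to this user
        for role in assigned:
            for f in functions_of(roles.get(role, ())):
                contrib.setdefault(f, set()).add(role)
        hits = {rid: {a: sorted(contrib[a]), b: sorted(contrib[b])}
                for rid, (a, b) in RISKS.items() if a in contrib and b in contrib}
        if hits:
            out[user] = hits
    return out

# Constructed sample role model and user assignments (hypothetical names).
ROLES = {
    "Z_AP_CLERK": {"FB60", "MIRO", "XK03"},
    "Z_AP_PAYMENTS": {"F110", "F-53"},
    "Z_VENDOR_MASTER": {"XK01", "XK02"},
    "Z_AP_ALL": {"XK01", "FB60", "F110"},  # over-broad legacy role
}
USERS = {"ALICE": ["Z_AP_CLERK", "Z_VENDOR_MASTER"],
         "BOB": ["Z_AP_CLERK", "Z_AP_PAYMENTS"], "CAROL": ["Z_AP_ALL"]}
```

Running `role_conflicts(ROLES)` flags only the legacy `Z_AP_ALL` role, while `user_conflicts(ROLES, USERS)` shows that BOB's conflict arises purely from the combination of two individually clean roles, which is the more common and harder-to-spot case.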


A strategic approach to compliance


Pumpkin have helped many clients over the years with SoD-related challenges. Our approach is tailored to your unique needs and circumstances; it's not a standard, one-size-fits-all solution. We believe in diving right in and getting our hands dirty to resolve issues under the guidance of a strategic roadmap, an approach that consistently delivers fast, efficient results.


What you can expect if you ask Pumpkin to look at your SoD conflicts


Thorough SoD strategy development: We'll work with you to establish crystal-clear SoD policies that align with your business objectives. This is a really important point; something that isn’t aligned to your business or its people isn’t going to work. I’m a firm believer in user-centric, common-sense processes in order to get the best buy-in from the people who will determine whether or not an SoD project is successful.


Comprehensive risk analysis/continuous SoD monitoring: Our team conducts in-depth risk analyses, either at the start of a project or periodically over time, to identify weaknesses and the corresponding action plans, ensuring that SoD issues are promptly identified and addressed.


Simplified role models: We’re experts at building a streamlined role design, built for better efficiency and security, with SoD compliance built in as standard.


Efficient remediation plans: We'll guide you through the remediation process with a focus on efficiency and effectiveness. This can be a tricky exercise to go through, but we have a great track record of delivering significant risk reduction for clients. For me, this is as much a change management exercise as it is a technical piece of SAP work. Remembering that there is an impact on end users, and therefore managing expectations and the way it’s done, goes a long way.


#SODCompliance #SOD
